intercepting API function calls issued by said software component by replacing the
addresses of API functions to be intercepted in an import data table associated
with said software component with addresses of stub functions, each stub
function operative to call a security monitor function associated with a
different API function;

intercepting non-API function calls issued by said software component by replacing
the addresses of non-API functions to be intercepted in an import data table
associated with said software component with addresses of stub functions,
each stub function operative to call a security monitor function associated with
a different non-API function;



creating a call chain operative to permit distinguishing between function calls made
by said software component from function calls made by said monitored
application;

blocking intercepted API calls that are forbidden according to the security policy; and
allowing intercepted API calls that are permitted according to the security policy.



2. (Amended) The method according to claim 1, [wherein said step of intercepting comprises 
the steps of:] further comprising the step of injecting a security monitor implementing said 
secure sandbox into the address space of the monitored application[; and

redirecting said preselected set of API calls issued by the software component to said 



3. (Amended) The method according to claim 1, wherein said step of blocking intercepted 
API calls comprises the step of [blocking intercepted] preventing the execution of API calls 
that are in [the preselected] said selected set of [APIs] API function calls which have been 
determined to have originated by said software component and which have been determined
to be forbidden according to the security policy.

4. (Amended) The method according to claim 1, wherein said step of allowing intercepted 
API calls comprises the step of allowing intercepted API calls that [are in the preselected set 
of APIs] have been determined to have originated by said monitored application and which
are permitted according to the security policy.
security monitor].

- (Amended) A method of monitoring the execution of [a] an application and one or more
software [component] components associated [with an application] therewith in accordance
with a predetermined security policy, said method comprising the steps of:

[intercepting a preselected set of application programming interface (API) calls issued
by the application; 

intercepting non-API calls issued by the software component;] 

intercepting a selected set of application programming interface (API) function calls
issued by said monitored application by replacing the addresses of all API
functions to be intercepted in an import data table associated with said
monitored application with addresses of security monitor functions, each
security monitor function associated with a different API function;

intercepting API function calls issued by said software component by replacing the
addresses of API functions to be intercepted in an import data table associated
with said software component with addresses of stub functions, each stub
function operative to call a security monitor function associated with a
different API function;

intercepting non-API function calls issued by said software component by replacing
the addresses of non-API functions to be intercepted in an import data table
associated with said software component with addresses of stub functions,
each stub function operative to call a security monitor function associated with
a different non-API function;

determining whether an intercepted API call issued by [the] said monitored
application originated from a non-API call issued by the software component
via the generation of a call chain by said software component when a non-API
function is called;

blocking intercepted API calls that originated with a non-API call from the software 
component that are forbidden according to the security policy; and 

allowing intercepted API calls that originated with a non-API call from the software 
component that are permitted according to the security policy. 



^, (Amended) The method according to claim [wherein said step of intercepting a 
preselected set of API calls issued by the application comprises the steps of:] further 
comprising the step of injecting a security monitor into the address space of the monitored 
application[; and 
redirecting said preselected set of API calls issued by the application to said security
monitor].

\ (Amended) The method according to claim |, [wherein said step of intercepting non-API
calls issued by the software component comprises the steps of:] further comprising the step of
injecting a security monitor into the address space of said monitored application, said step of
injecting comprising the steps of:

launching said monitored application in suspend mode;
allocating memory in the address space of said monitored application;
copying a loading function to said allocated memory;
creating a thread operative to execute said loading function which in turn functions to
load said security monitor;
installing means for the interception of application programming interface (API)
function calls made by said monitored application and said software
component and non-API function calls made by said software component;
unsuspending said thread and deallocating memory;

unsuspending said monitored application and permitting it to execute.
[injecting a security monitor into the address space of the monitored application; and
redirecting said non-API calls issued by the software component to said security
monitor.]

\ (Amended) A method of monitoring the execution of [a] an application and one or more
software [component] components associated [with an application] therewith in accordance
with a predetermined security policy, said method comprising the steps of:

injecting a security monitor into the address space of [the] said monitored application;
generating a plurality of stub functions corresponding to application programming
interface (API) function calls and non-API [functions] function calls which are
called by the software component;
redirecting all API calls and all non-API calls made by the software component;
redirecting API calls made by [the] said monitored application to said security
monitor;

setting a flag [with each call made by the] said software component makes a call to
either an API function or a non-API function;
redirecting a portion of API calls received by said plurality of stub functions to said
security monitor;

redirecting said non-API calls made by the software component to their corresponding
non-API functions; and
applying the predetermined security policy to an API call when said flag is set.
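
A portable model of the stub-and-flag call attribution recited in the claim above, added here as an example and not taken from the application or any product. Function-pointer arrays stand in for the import data tables; the names `api_delete_file`, `app_cleanup`, the sample paths and the `/tmp/` policy are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: an "import table" is an array of function pointers. */
typedef int (*fn_t)(const char *path);

static int component_flag = 0;   /* >0 while a component call is on the call chain */

/* Stand-in for a real API function (hypothetical, does nothing). */
static int api_delete_file(const char *path) { (void)path; return 0; }

/* Hypothetical policy: component-originated deletes allowed only under /tmp/. */
static int policy_permits(const char *path) { return strncmp(path, "/tmp/", 5) == 0; }

/* Security monitor function: applies the policy only when the flag is set. */
static int monitor_delete_file(const char *path) {
    if (component_flag > 0 && !policy_permits(path)) return -1;   /* blocked */
    return api_delete_file(path);                                  /* allowed */
}

/* Application import table, already patched to point at the monitor. */
static fn_t app_iat[1] = { monitor_delete_file };

/* Non-API function in the application that the component can import. */
static int app_cleanup(const char *path) { return app_iat[0](path); }

/* Stubs: set the flag, forward the call, clear the flag on return. */
static int stub_delete_file(const char *path) {
    component_flag++; int r = monitor_delete_file(path); component_flag--; return r;
}
static int stub_app_cleanup(const char *path) {
    component_flag++; int r = app_cleanup(path); component_flag--; return r;
}

/* Component import table as the loader filled it: [0] API, [1] non-API. */
static fn_t component_iat[2] = { api_delete_file, app_cleanup };

/* Replace each address in the component's table with its stub. */
static int install_component_hooks(void) {
    component_iat[0] = stub_delete_file;
    component_iat[1] = stub_app_cleanup;
    return 2;
}

int main(void) {
    install_component_hooks();
    printf("app direct:        %d\n", app_iat[0]("/data/app.cfg"));
    printf("component via app: %d\n", component_iat[1]("/data/app.cfg"));
    printf("component in /tmp: %d\n", component_iat[0]("/tmp/cache.bin"));
    return 0;
}
```

Without the non-API stub, the component's call through `app_cleanup` reaches the monitor with the flag clear and is indistinguishable from the application's own call, which is the gap the non-API interception closes.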



9^. (Amended) A method of monitoring the execution of [a] an application and one or more 
software [component] components associated [with an application] therewith in accordance 
with a predetermined security policy, said method comprising the steps of:

applying interception to the application including all its modules whether loaded
initially or during execution thereof;
detecting the loading of a software component external to the application;
applying interception to all calls made by the software component to functions located
in other modules; and
applying the security policy to said calls made by the software component.

(Amended) A method of monitoring the execution of [a] an application and one or more 
software [component] components associated [with an application] therewith in accordance 
with a predetermined security policy, said method comprising the steps of:

[applying] installing means for interception [to the] within said monitored application
including all [its] modules associated therewith whether loaded initially or
during execution thereof;

detecting the loading of a software component external to [the] said monitored
application;

[applying interception] installing means for intercepting [to] all API and non-API
function calls made by the software component to functions located in other
modules; -and-

setting a flag when a function call is issued by the software component to any
function located in another module located external thereto; and
[applying interception to API calls contained in a preselected set; and]
applying the security policy to an API call when said flag is set.
Please add new claims




H^. (New) The method according to claim 1, wherein said software component comprises one
of the following: ActiveX control, Java component and Netscape Plugin component.

r^. (New) The method according to claim ^, wherein said software component comprises one
of the following: ActiveX control, Java component and Netscape Plugin component.

r3i^(New) The method according to claim Py wherein said software component comprises one
of the following: ActiveX control, Java component and Netscape Plugin component.

(New) The method according to claim p, wherein said software component comprises one
of the following: ActiveX control, Java component and Netscape Plugin component.

15. (New) The method according to claim 1^ wherein said software component comprises
one of the following: ActiveX control, Java component and Netscape Plugin component.

(New) A method of creating a secure sandbox around both a monitored application and
one or more software components associated therewith in accordance with a predetermined
security policy, said method comprising the steps of:
intercepting a selected set of application programming interface (API) function calls
issued by said monitored application by replacing the addresses of all API
functions to be intercepted in an import data table associated with said
monitored application with addresses of security monitor functions, each
security monitor function associated with a different API function;
detecting a load type API function call issued by said monitored application;

blocking intercepted API calls that are forbidden according to the security policy; and
allowing intercepted API calls that are permitted according to the security policy.

(New) The method according to claim wherein said load type API function call
comprises one API function call from the group consisting of CoGetClassObject(),
LoadLibrary() and LoadLibraryEx().

r^. (New) The method according to claim further comprising the steps of:
upon detection of a load type API function call:

intercepting API function calls issued by said software component by
replacing the addresses of API functions to be intercepted in an import
data table associated with said software component with addresses of
stub functions, each stub function operative to call a security monitor
function associated with a different API function;
intercepting non-API function calls issued by said software component by
replacing the addresses of non-API functions to be intercepted in an
import data table associated with said software component with
addresses of stub functions, each stub function operative to call a
security monitor function associated with a different non-API function;
and

creating a call chain operative to permit distinguishing between function calls
made by said software component from function calls made by said
monitored application.

(New) The method according to claim rQ, wherein said step of detecting comprises the
step of detecting one of the API functions from the group consisting of CoGetClassObject(),
LoadLibrary() and LoadLibraryEx().